Which is the Most Secure Web Browser?

Look at the thread title, now read the part you wrote yourself which I marked bolt. Does it match?

Look at the thread title, now read the part you wrote yourself which I marked bolt. Does it match?

May I hijack this thread and discuss the secureness of the LYNX browser?

 

@Kees. CWS makes it sound that sandboxed programs having access to the system is a weakness in SBIE. In my post, all I wanted to do was point out that since Sandboxie is a sandbox program, sandboxed programs having access to the system is not a weakness but the way it has to be

Whats wrong with that?

Bo

 

I do I just forgot to mention that thanks!!

 

Lynx

 

Let's clear all this sandbox confusion.

Similarities

Both browser sandbox (Chromium's) and standalone sandbox (Sandboxie) share similarities in that both utilize OS internal mechanisms to reduce privileges/restrict access of processes they control/supervise.

http://www.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ
http://www.chromium.org/developers/design-documents/sandbox

http://forums.sandboxie.com/phpBB3/viewtopic.php?t=14454

Use Process Explorer and check for yourself if you don't believe it.

Differences

Where the difference lies is mainly in design and scope of protection.

a) Browser sandbox is purely user-mode (concept of least privilege extends to the code that controls the sandbox) whereas Sandboxie utilizes a driver for it's broker to control/supervise sandboxed processes.

b) Browser sandbox is meant only browser's own target processes whereas Sandboxie is meant to sandbox programs other than itself.

Since sandboxed processes are restricted, the 'broker' does the policy-allowed actions on behalf of the sandboxed processes. Chromium's broker has less to do when compared to Sandboxie where it has to supervise/allow more interaction between sandboxed programs. Chromium's broker run with less privileges than Sandboxie's.

Why it's pointless to sandbox a browser like Chrome

Both sandboxes are similar under the hood (the processes have similar sandbox restrictions). In fact, Chrome's sandbox has an upper hand in that it provides isolation in between tab processes.

Sandboxing a browser like Chrome with Sandboxie means you are just overlapping and introducing additional code - possibly increasing the attack surface. Not really worth it.

Usage tracks and privacy concerns can be dealt with built-in options and Incognito Mode,etc.

What if a browser-specific exploit manages to escape Chrome's sandbox?
By design, Sandboxie presents little to no hurdle for such an attacker (may even weaken the browser) seeing:

a) the sandbox model is similar
b) it adds additional code to the browser

The only time it may be able to help is if the attacker doesn't bother (thanks to security by minority advantage). It is your choice but please don't claim it makes Chrome any more secure than it is.

So, when should I use Sandboxie?

Using Sandboxie with Firefox currently is fine. Make no mistake though. The sandbox restriction provided by Sandboxie applies only to firefox.exe with no separation/isolation between tabs. Mozilla wants to adopt the sandboxing model used in Chromium because it is a sound and valid model. In fact, more programs should be designed as such.

Sandboxie is useful. Just use it for programs that do not come with it's own sandbox.

So, what is the most secure browser?

Chrome/Chromium is much more secure than the competition thanks to it's security model. Secure here does not mean private/anonymous. You can always tweak Chrome/Chromium for privacy.

If you are still not comfortable with the idea of a browser 'so attached to Google', use other browsers that are less attached to Google or those that are more dedicated to the concept of privacy/anonymity like Tor browser, etc.

 

Why is it that when people discuss what browser is most secure they start bringing in unrelated programs like sandboxie? Sandboxie does not have to do with any of this. Talk about the browsers, even takl about browser extensions, but it seems so silly to discuss the technical merits of *other programs* as a justification for using a separate browser over another.

If you wan tto have a productive discussion, first focus on Firefox and Chrome and IE, then start discussing other programs.

And as for Aviator, do not use it if you care about security.

 

Probably because whenever this subject comes up, it inevitably leads to Chromes sandbox.

 

Yes, it does. And suddenly people feel the need to change the topic.

 

Probably because Chrome users regard that sandbox as the beginning and end of the discussion, like its existence trumps all other factors and considerations. It also uses a very narrow definition of security, a point that's been made repeatedly in the thread.

 

True, it is definitely highly regarded. If you feel that something else is more important, discuss it.

But in my opinion these topics never go anywhere because the goal posts keep getting pushed. Suddenly the topic isn't about the browsers themselves, but outside technologies. Maybe Firefox and Sandboxie is more secure than Chrome, maybe not - but that's not really what is up for discussion. The question is about browsers.

That's my 2 cents. I'm not interested in debating whether one is more secure than the other, I'm sure most are aware of my opinions.

 

I'd personally prefer a built-in sandbox for browsers so I don't have to worry about compatibility, especially with other types of security programs.

But then again, none of this really matters ITW, since low hanging fruits are more than plentiful enough.

 

Safeguy, you might like to read Tzuks posts in this thread.
http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=11788&sid=491b48bb3a100f9b27b13dd772eeefbe

Bo

 

That post from him is from 2011. It's been 4 years and there have been major changes to Sandboxie.

 

Hungry, actually there are 2 posts by Tzuk in that thread and its 3, if you count the one that he quotes himself from another thread. Those posts are good now as they were in 2011.

I agree with this opinion:

This quote is perfect reply to what I quoted from Safeguys post.

Bo

 

@HM
If you look through the posts, you'd see that I already did.

 

Trust me Bo. I've read those. Those posts were written in 2011 before Sandboxie changed it's working methods in V4. His point back then was Sandboxie may help. Read again my post...you left out this part in the quote:

The reason why Sandboxie's sandbox cannot help Chrome any further is because they share similar restrictions in their sandbox model (renderer processes in Chrome's sandbox run under Untrusted IL, just like sandboxed processes do in Sandboxie).

In fact, Chrome's sandbox is stronger here since:

a) renderer processes are isolated from one another
b) Chrome's broker runs under Medium IL whereas Sandboxie's sbiesvc.exe runs under High IL

Adding Sandboxie to Chrome also messes and weakens Chrome's own sandbox restrictions. If an exploit is able to escape Chrome's sandbox, it would manage to escape Sandboxie's too. An analogy would be putting on 2 condoms. It just adds friction.

 

I probably responded to Tzuk's post then. Frankly, as I know considerably more now than I did then, I can only think of more reasons to support those posts I made.

But as I said, the merits of the browsers should be the discussion, not third party software. And I don't think it would be very fun to take part.

I look forward to hopefully reading a conversation that no longer involves third party tools, as the topic suggests.

 

I look forward to a realistic comparison of similar products. Saw too much of these same flawed comparisons between security suites and internet firewalls. Using that standard, the product with the most features will always win the comparison. That might serve the vendors but not the users.

 

I agree.

 

That doesn't matter, sbieSvc.exe runs outside the sandbox. Sandboxed programs run untrusted, lower than low. It cant be more restricted that that, if they were more restricted, nothing would run sandboxed.

Bo

 

Exactly. You proved my point.

Chrome's renderer processes are already running with restricted token, job object and Untrusted IL without Sandboxie. So, what advantage do you get from adding in Sandboxie?

I wanted to highlight Sandboxie's design limitation here (not it's fault) - it simply needs that high privilege to supervise and sandbox other apps whereas Chrome's broker doesn't need to because it only needs to supervise it's own renderer processes. Concept of least privilege.

http://www.chromium.org/developers/design-documents/sandbox

From an attacker's POV, having sbieSvc.exe doing the supervision and sbiedll.dll injected into the browser means additional code/possible pathway to sandbox escape or elevation of privilege; compared to just having Chrome's broker.exe only executing the policy-allowed calls.

That's why I keep repeating - use Sandboxie to sandbox non-sandboxed apps. Just don't mess with Chrome's sandbox...it doesn't need it.

 

I wouldn't get any, I don't use Chrome. And you probably wouldn't either. But, look at the examples below, wouldn't our less savvy friends who use Chrome be more secure if they were running sandboxed? I mean, people who go click click and click.

Bo

 

FleischmannTV actually 100% proved that SBIE does actually mess in Chrome's security via job object and SID, FleischmannTV said that if you run Google Chrome inside Sandboxie, this job object does not exist and now Chromium processes can create child processes unless you apply start/run restrictions and once you have applied these restrictions you get the same as you would have gotten before without Sandboxie-I saw this on Sandboxie forums (credits to Yuki, since he gave me this link):
http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=19260

Also, as Yuki said:
While SBIE uses anonymous user, Chrome uses null SID except for logon SID. Though anonymous user is very well restricted, null SID is more severe, more severe here means that Google Chrome's null SID is much more restricted than even SBIE's anonymous user/untrusted integrity level.

Bo. Safeguy, Hungry Man, the main reasons why I run Google Chrome sandboxed are the following: every web-browser has weakpoints and Sandboxie even though it truly messes security and protection of Chrome's sandbox (FleischmannTV already 100% proved it), Sandboxie still covers all weakpoints of any and all web-browsers including Google Chrome (like java, flash players social engineering and similar stuff, these are main reasons why people get infected at least over 99% of the time)-this is the short answer) which are unprotected-short answer) and please read here why I use and run Google Chrome sandboxed under Sandboxie-this is long answer:
I'm sure you will all agree with me, because I wrote only what others wrote:

 

Hello Bo,

I don't understand what your examples have to do with how secure a Browser is.

• Becoming infected by clicking to install malware is not a Browser problem, but a user problem.

• Opening a webmail attachment which results in an infection is not a Browser problem, but a user problem.

The OP, Rafales, asks about Browser security in context of an article on that topic he links to. The only statement in the article that makes much sense is:

It's hard to disagree with that!

Browser vulnerabilities are weaknesses in the Browser code, not weaknesses in Plug-ins. Plug-in vendors list their own vulnerabilities.

Often, when an attack against a Browser is reported, it involves a plugin, as with the sensational zero-day attack against Internet Explorer last year which used Flash as the trigger:

A Technical Analysis of CVE-2014-1776
http://blog.fortinet.com/post/a-technical-analysis-of-cve-2014-1776

Now, if you want to consider all attack vectors, then no browser is "secure" without other preventative measures in place. Use your sandbox, or whatever. But this is surely a topic for another thread, whose title might be, "Security while browsing."

Also, I asked in a previous post if anyone is aware of attacks in the wild exploiting any specific browser vulnerabilities listed in various databases on line.

There may be some, but so far, no one has cited any.

regards,

----
rich

 

I'm not yet got home and can't post full reply, but your way of quote is misleading. What you bolded is not what I said and actually there can't be "much more restricted" as anonymous logon user is very well restricted already, besides intintegrity level is no relevant here.